Payment card networks are built on a web of contractual arrangements containing incentives and allocations of risk. A common assumption among merchants and issuing banks is that merchants are wholly liable for expenses incurred as a result of a data breach. But recent decisions in three federal courts send a message that this assumption doesn’t always hold. In a three-part series, we will discuss recent case law on the topic and how that impacts contracts at all levels of the vertical.
In Southern Independent Bank v. Fred’s Inc., the U.S. District Court for the Middle District of Alabama denied Southern Independent Bank’s (“SIB”) motion for class certification following a data breach which affected over 2,500 banks across the country. SIB, a community bank in Alabama, brought a class action against Fred’s, Inc. (“Fred’s”), a retail chain selling general goods, in response to a data breach in which hackers harvested credit and debit card payment data from Fred’s stores. As the district court’s opinion outlines, the breach harmed not only consumers, but also the financial institutions that issued the cards to their customers.
Financial institutions like SIB serve as issuing banks that provide credit and debit cards to their customers. Merchants like Fred’s then rely on an acquiring bank in order to access the payment networks between bank card associations, such as Visa and Mastercard, and issuing banks like SIB.
Both issuing and acquiring banks are bound by Visa and Mastercard’s extensive rules by contract with the card brands. Among those rules is the payment card industry’s data security standard (“PCI-DSS”). Thus, when a merchant like Fred’s comes into the payment network through an acquiring bank, the contract between the merchant and the acquiring bank also binds the merchant to the card brand rules and the PCI-DSS.
The district court summarized the relationship between the financial institutions and merchants succinctly and illustrated how the parties to the networks were related. It included the below graphic based on diagrams other courts have used:
As the court explained:” [T]he vertical lines with arrows starting from Visa and MasterCard and moving downward represent the series of contractual relationships that parallel the two sides of the payment card networks. The horizonal line at the bottom connecting cardholders and merchants represents the connection between the two sides when cardholders transact with merchants. Finally, the [red] diagonal line represents the relationship that the lawsuit is about: the one between a merchant and an issuing bank.”
As such, when a merchant like Fred’s suffers a data breach, the financial institutions operating as issuing banks experience the ripple effect of damages from the infiltration. These include, according to SIB, fraud losses, card reissuance costs, lost revenue, and ancillary costs stemming from Fred’s negligent failure to maintain adequate cybersecurity in compliance with the PCI-DSS.
Ultimately, the court concluded that SIB satisfied the requirements for class certification, but it could not ultimately support a grant of class certification. Alabama’s choice of law rules would necessitate adjudicating claims of negligence under the laws of each plaintiff’s jurisdiction, and the court determined that “managing a class of 2,500 banks, 1 million cards, and adjudicating claims under all fifty-one U.S. jurisdictions would be highly impractical.” Therefore, SIB would have to advance the case as an individual negligence action against Fred’s.
This opinion is instructive not only for litigating class actions, but also for understanding the different ways courts interpret payment card contracts. One of the reasons the district court refused class certification was because the variations in law posed insurmountable obstacles to class certification. It cites, for example, that SIB’s claims would be barred by the stranger rule in Pennsylvania and Massachusetts, and that the Seventh Circuit would analyze SIB’s negligence claims under the contracting parties paradigm found in Illinois and Missouri.
Consequently, variations in the law should serve as a reminder for banks and credit unions that courts interpret payments contracts in different ways. To prevent and mitigate damages, both financial institutions and merchants should be aware of the laws that govern these contracts and take steps to mitigate and allocate risk, keeping a keen eye on your jurisdiction’s laws, privity among the applicable parties, and the potential likelihood of liability.
 S. Indep. Bank v. Fred’s, Inc., No. 2:15-CV-799-WKW, 2019 WL 1179396, at *1 (M.D. Ala. Mar. 13, 2019).
 Merchants do not have a direct relationship with Visa or MasterCard; they need an acquiring bank to sponsor them into the network. Id. at *2.
 Id. at *3.
 Id. at *21.
 Id. at *18.
This post originally appeared in Frost Brown Todd’s Blockchain and Banking Blog on July 8, 2019.